How not to discard half of the cases in QKD 
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All known QKD protocols require the parties to discard the results when they have chosen dif- 
ferent bases. In this paper we show that it is not necessary. We give examples of QKD protocols 
that are as safe as standard ones but do not involve the discarding of the results when the bases 
are different or even that do not require the announcement of the bases. This leads to greater 
communication channel capacities and render some eavesdropping strategies useless but the most 
important thing is that they provide us better insight into the general structures that underlie the 
quantum cryptography and help to establish the boundaries of what is possible and what is not. 

PACS numbers: 03.67.Dd 



All known quantum key distribution (QKD) protocols, 
whether entanglement based like Ekert's ^ or not like 
BB84 [2], share one common trait. The communicat- 
ing parties choose some measurement bases and later an- 
nounce them to find whether or not did they manage to 
establish one bit of secret key. In most of the protocols 
they can do this in one half of the cases. In the rest of the 
protocols this ratio is similar or less Q . The only excep- 
tion is the efficient protocol described in [3| . Though the 
parties discard the cases when they have chosen the dif- 
ferent bases this happens very rarely due to the fact that 
the bases are chosen with different probabilities. This 
leads to the similar advantages that protocols described 
in this paper have when it comes to communication chan- 
nel capacities but, since the bases are still announced by 
both parties, does not provide the protocol presented in 
[3| with similar advantages when it comes to security is- 
sues. Before we present the protocols that do not require 
discarding of the cases when the chosen bases are differ- 
ent, let us take a look at the QKD from the probability 
distribution point of view. 

All QKD protocols can be viewed as follows. There is 
a joint probability distribution p(a, 5, A, B). Each of the 
two parties ^ has knowledge of the two of the variables 
(Alice knows her choice of the basis a and the measure- 
ment outcome or the value of the bit coded A and Bob 
knows b and B). The protocols are constructed in such a 
way that knowledge of two variables gives nothing, while 
the knowledge of three gives the fourth, but not in all 
the cases. There are combinations of variables values for 
which the fourth one is automatically known and there 
are combinations that give no information about it. Later 
the parties publicly announce one of their variables a and 
6, so now they both have the necessary knowledge of three 
variables, while anyone listening to the public channel has 
only two. They also know whether this combination of 
variables leads to the fourth one (this happens if a = 6) . 
If the bases are randomly chosen, then from the probabil- 
ity distribution point of view each variable has the same 
status, but in all existing protocols variables denoted by 
lower case letters (bases) are preferred. We conjecture 
(and prove) that giving equal rights to all variables can 



be beneficial to quantum cryptography. 

First let our parties reveal A and B (that is the out- 
comes) instead of a and b (that is the bases) . Let them 
do that in the standard BB84 protocol. The outcomes 
will be the same in 75% of the cases (always if they have 
chosen the same bases and in one half of the cases when 
they have chosen different ones) , these runs of the proto- 
col will be discarded. If the outcomes are different then 
they are sure that they have chosen the different bases 
and they can use that to generate the bit of the key. Lis- 
tening to the public channel gives the third party noth- 
ing, since being sure that the bases are different is not 
enough, knowledge of a or b is also necessary. This naive 
example gives us no benefit when it comes to channel ca- 
pacities [6]. On the contrary instead of discarding 50% 
of the cases we discard 75%, but it provides us with some 
important insight. We see that bases do not have to be 
necessarily announced. And since they do not, there may 
be no need to discard the cases when they are different. 

Before presenting the QKD protocol that does not re- 
quire the parties to discard almost anything let us take 
a look at a Bell inequality that will provide safety crite- 
rion. Let us consider the simplified version of CGLMP 
inequality fi\ given by Zohren and Gill ^ 



Ad(V) = PiA2 < B2) + P{B2 < Ai) 

+P{Ai < Bi)+P{Bi < A2) > 1 



(1) 



Here Xi denotes the measurement outcome of party X in 
the basis i. The outcomes can take the value 0,l,..,d — 1. 
In Q it is shown that for quantum probabilities this in- 
equality is violated and as the dimensionality of the sys- 
tems d rises there are states for which Ad approaches 
zero. Surprisingly, these optimal states are not maxi- 
mally entangled. For optimal states and huge d's this 
implies that one can find measurement bases for which 

P{A2 > B2) ~ 1, P{Ai >Bi)^l (2) 

P{B2 > Bi) « 1, P(Bi > ^2) « 1 (3) 

Which means that the following is almost always true 

B2>Ai> Bi (4) 
Bi>A2> B2 (5) 
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If Alice and Bob announce the measurement outcomes 
and discard the cases when they both announce the same 
number (which will be a very rare event) , they know their 
choices of bases. Explicitly, if Alice has the greater num- 
ber they both know that they have chosen the base with 
the same index (note that Ai is a different base than Bi), 
if Bob has the greater number they have chosen the bases 
with different indexes. It is clear that this phenomenon 
can be exploited to create quantum key distribution pro- 
tocol. 

One of the possibilities for the QKD is: 

One subsystem of the state \tp) = X^fcTo^'^iN) (which 
A's are chosen in such a way that lip) maximally violates 
the inequality ([1])) is being send to each party, which 
measures it in one of the bases composed of the vectors 



\VA,a 



J=^exp ^i^/c(i + aa)) (6) 



fc=0 
d-1 



1^')^.^ = ^J2e^p(iY^i-J+Pby)\l)B, (7) 

a,b — 1, 2 is the index of the chosen basis ai = 0, q;2 = 
i, /3i — J and /?2 = —j- They announce their results 
but keep the choices of the bases secret. The only (very 
rare) case when they discard the run of the protocol is 
when they both announce the same outcome. The choice 
of basis of one previously established party (say Alice) 
is going to be the key if the eavesdropping check finds 
nothing. For this check the parties randomly choose some 
runs of the protocol, announce their choices of the bases 
and compute the value Ad{ip)- Since {ip) is the optimal 
state and the bases are complementary, any measurement 
or substitution of another state necessarily leads to Alice 
and Bob receiving altered (not optimal) sate for which 
the value of Ad{tp) is greater. If this value differs too 
much from the expected the presence of the eavesdropper 
is assumed and the protocol is aborted. 

This protocol has several advantages. If d is big 
enough, almost certainly no cases will be discarded and 
this whole step can be omitted. In this case every run 
of the experiment generates one bit of the key (if we do 
not count some runs needed for the eavesdropping test). 
Furthermore if the Alice's choice of the basis is going to 
be the key than it is possible for Bob to send only one 
bit to Alice on the public channel while the rest of the 
classical communication is done one-way (Alice to Bob), 
which can be beneficial in some cases. To do so only Al- 
ice announces the outcomes (which further complicates 
the job of eavesdropper) of her measurements and Bob 
always can find what her base was. Next Alice chooses 
randomly some of the cases and sends both variables to 
Bob, who computes Adiijj) and sends back his only bit, 
which carries the information whether the eavesdropper 
was present or not. 

Unfortunately this protocol has also one serious disad- 
vantage. It is highly impractical, since it works fine only 
for extremely huge d's. For small d's and (O are not 



so often true and when they are the outcomes are usually 
equal. The situation gets better as Ad{^) goes to zero 
but it falls off slower than logarithmically with the di- 
mension The dimensions when it starts to be better 
than standard ones are of the order 10'', which makes its 
physical realization far beyond the scope of the current 
technology. Nevertheless, it proves that it is possible to 
construct a protocol that does not require any run to be 
discarded. 

The question arises. It is possible to construct a pro- 
tocol that does not require any run to be discarded.. 
The role of bases and the measurement outcomes can be 
swapped. Is it possible to construct a QKD protocol that 
involves announcement of the bases but does not require 
us to discard anything? The answer again is: yes. 

Consider a following protocol: 

Alice encodes a random dit in one of the two mutually 
unbiased bases, given by vectors That is, if she wants 
to encode a dit with value i = 0, 1, .., d— 1 in the base a — 
I, 2, then she prepares the system in the state \i)A,a- She 
sends it to Bob. For each system received Bob randomly 
chooses one of the two modes of operation. The first 
mode will be used for the key generation, while the second 
one will be used for the eavesdropping detection. 

• If Bob chooses the key mode of operation, he ran- 
domly chooses one of the bases given by vectors 
([7]) and makes his measurement. Note that in this 
mode Bob always measures system in a different 
base than it was prepared. Nevertheless, we will 
show that Bob is able to decode the dit of the key 
with the probability high enough to make this pro- 
tocol effective. 

• In the security mode he randomly chooses one of 
the bases that Alice could have encoded her dit in 
([6|) and measures the system. 

After all the systems are sent and received Alice an- 
nounces her choice of the bases and Bob announces his 
choice of the modes. All the cases when Bob had chosen 
the security mode are used to check for eavesdropping 
in a standard manner. That is, both parties announce 
their results and bases. If they chose the same bases 
they should get the same outcomes. If this is not the 
case, they can assume that they had been eavesdropped. 
This mode provides the security against eavesdropping 
which works exactly as in the protocol presented in [9]. 

How does Bob decode the dit when he has measured 
the system in a different base that it has been prepared? 
It happens that knowing both of the bases and his result 
Bob knows that one of the possible letters of the alphabet 
is much more probable than the others. The probability 
that Bob gets result j, when he had chosen base b and 
Alice prepared the state \i)A,a is 



p{a,b,ij) 



1 



d (1 



cos{^ii+j+aa-l3b)) 



(8) 
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If a + 6 < 4 then the most probable outcomes are those 
satisfying i+j — mod d. li a = b — 2 then they satisfy 
i + J = — 1 mod d. 

Note that the structure of ([5]) assures that we have 
only d possible values of p{a, b, i, j) and for each j the set 
of possible values is the same regardless of the choice of 
a, b and i. 

We end up with situation in which no cases are dis- 
carded but the structure of the protocol itself introduces 
some errors in the key. To answer whether or not this 
protocol allows for the faster key generation we need to 
look at the channel capacities. 

Classically noiseless channel with d-dimensional input 
and output alphabets has the capacity logd. When it 
comes to QKD, even with perfect quantum channels this 
value drops to ^ log d. It is due to the fact that the 
channels used in cryptography can be viewed as erasure 
channels, that is channels that do not change the input 
with the probability 1 —p and erase it with the probability 
p. In standard QKD p = 50% which corresponds to one 
half of the cases when Alice and Bob have chosen different 
bases and had to discard (erase) their results. 

For the sake of clarity let us look at BB84 protocol 
from the point of view of information channels. The bit 
encoded by Alice in some quantum two-level system is 
send to Bob by a channel Afs — J^2 ° A/i . Afi is a quantum 
channel which we will assume to be perfect and not deal 
with. J\f2 is a classical erasure channel with the capacity 
i. Since A/i is noiseless, Afs also has the capacity of i. 
For qdits in general this becomes the mentioned ^ log d. 

If we again assume that the quantum part of the chan- 
nel is perfect then the capacity of the channel Af2 which 
is the same as the capacity of the whole channel Af can 
be easily computed (see footnote [lo| ) 

C(AA) . 21ogrf+ ± £ ^KM^iog^(^ (9) 

a,b— 1 iJ—0 

This capacity is greater than C{Afs) = ^ logd for d > 3 
as Fig. 1 shows. 

Introducing some noise in the part of the channel Af2 
does not change anything in the analysis, since it affects 
the standard protocols and this one in exactly the same 
way. 

Note that this protocol can be slightly modified to have 
another interesting property. If Bob in the key genera- 
tion mode always chooses the base 5 = 1 he knows that 



regardless of Alice's choice a+b < 4. Then he is sure that 
Alice's and his most probable outcomes satisfy i + j — 
mod d so there is no need for Alice to announce her basis. 
We end up with a protocol in which nothing is publicly 
announced! Unfortunately this modification allows Eve 
to introduce less errors by eavesdropping , but is true 
only when she is using certain strategies. Other strategies 
that relay on the knowledge of the announced variables 
are not possible at all. 

(■"iA'j 
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FIG. 1: The ratio of channel capacities for standard QKD and 
the "practical" protocol presented in this paper as a function 
of the Hilbert space dimension 



We have presented an approach to quantum cryptogra- 
phy, in which probability distributions are considered and 
each variable (setting or outcome) is treated in the same 
fashion. This allows for more flexibility in protocol design 
which in turn leads to protocols with higher capacities 
and other advantages. For example, note that in both 
protocols only one variable (or even none in the modified 
practical one) is announced publicly, which can make the 
eavesdropper work significantly harder (the eavesdrop- 
ping strategies that require the knowledge of the pub- 
licly announced data are simply not possible). QKDs 
presented in this paper are by no means the end to the 
possibilities that arise before quantum cryptography if 
we choose to look at it from a different angle. 

The author would like to thank S. Zohren for shar- 
ing his numerical data, M. Zukowski for helping to make 
this paper more clear and H.-K. Lo for bringing paper 
Pj to authors attention. This work is part of EU 6FP 
programme QAP contract no. 015848. 
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corresponding induced random variable at the output 
channel. For QKD the only appropriate input distri- 
bution is the uniform one p{x) = i since we want 
to get a totaly random key. So (|10|l becomes C{M) = 
H{X) + H{Y) - H{X,Y). From this we arrive at p. 
[11] Consider the following strategy for Eve. She intercepts 
the system and measures it in the basis (O with 6 = 1. 
After the measurement she resends the system to Bob 
in the state that the system collapsed to. If this run of 
the protocol is used for the security check then Eve's 
actions will be detected with the same probability for 
both modified and unmodified versions of the protocol. 
But in the modified verison Eve gets the same outcome 
as Bob with probablity 100%. In the unmodified version 
this probablity is only ^ go Eve needs more attacks to 
gain the same amount of the information about the key. 



where p{x) are input distributions for X and Y is the 



